![Sample our Politics & International Relations journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5947/TOC-Subject-Sample-2021-Politics-International-Relations.jpg"})
ABSTRACT
Linking deterrence theory to cybersecurity policy and critical-infrastructure protection is easier said than done. Recent cybersecurity incidents involving the United States, China, Russia, and North Korea illustrate the yawning gap between cyber deterrence expectations, applications, and results. This article draws on classical deterrence theory to illustrate how the logic of deterrence applies to cybersecurity policy and strategy. By differentiating between physical and digital critical infrastructure protection, the article explores the promises and pitfalls of cyber deterrence in practice. Seven limitations are explored in detail, including: denying digital access, commanding cyber retaliation, observing deterrence failure, thwarting cyber misfits, addressing the cyber power of weakness, attributing cyber attacks, and solidifying red lines.
Notes on contributor
Alex Wilner ([email protected]) is an assistant professor of international affairs at the Norman Paterson School of International Affairs (NPSIA), Carleton University, Ottawa, Canada. He teaches graduate classes on intelligence, international affairs, terrorism, and strategic foresight. His books include Deterring Rational Fanatics (Philadelphia: University of Pennsylvania Press, 2015) and Deterring Terrorism: Theory and Practice, edited with Andreas Wenger (Stanford, CA: Stanford University Press, 2012), and he has published articles in International Security, NYU Journal of International Law and Politics, Security Studies, Journal of Strategic Studies, Comparative Strategy, and Studies in Conflict and Terrorism. Prior to joining NPSIA, Professor Wilner held a variety of positions at Policy Horizons Canada (Government of Canada), the Munk School of Global Affairs at the University of Toronto, the National Consortium for the Study of Terrorism and Responses to Terrorism (START) at the University of Maryland, and the ETH Zurich, Switzerland. He received a prestigious SSHRC Insight Development Grant in 2016 from the Government of Canada to explore cyber deterrence at the state and non-state level. This article stems from Prof. Wilner's 2016 SSHRC Grant.
Notes
1. Michael Shear and Julie Hirschfeld Davis, “Trump, on YouTube, Pledges to Create Jobs,” New York Times, November 21, 2016.
2. Donald J. Trump, “Cybersecurity,” Campaign Website, 2016, https://www.donaldjtrump.com/policies/cyber-security (accessed December 2016).
3. The literature on deterrence is expansive. A selection of the books and volumes that highlight the field—both old and new—include: Glenn Snyder, Deterrence and Defense: Toward a Theory of National Security (Princeton, NJ: Princeton University Press, 1961); Thomas Schelling, Arms and Influence (New Haven: Yale University Press, 1966); Alexander George and Richard Smoke, Deterrence in American Foreign Policy: Theory and Practice (New York: Columbia University Press, 1974); Patrick Morgan, Deterrence: A Conceptual Analysis (Beverly Hills, CA: Sage Publications, 1977); Robert Jervis, Richard Ned Lebow, and Janice Gross Stein, Psychology and Deterrence (Baltimore: Johns Hopkins University Press, 1985); Keith Payne, Deterrence in the Second Nuclear Age (Lexington: University of Kentucky Press, 1996); Robert Art and Patrick Cronin. eds., The United States and Coercive Diplomacy (Washington, DC: U.S. Institute of Peace 2003); Patrick Morgan, Deterrence Now (Cambridge: Cambridge University Press, 2003); Lawrence Freedman, Deterrence (Malden: Political Press 2004); T. V. Paul, Patrick M. Morgan, and James J. Wirtz, eds., Complex Deterrence: Strategy in the Global Age (Chicago: University of Chicago Press, 2009); Martin Libicki, Cyberdeterrence and Cyberwar (Washington, DC: RAND 2009); Martin Libicki, Conquest in Cyberspace (Cambridge, UK: Cambridge University Press, 2007); Benjamin Sutherland (ed.), Modern Warfare, Intelligence, and Deterrence (Hoboken, NJ: John Wiley & Sons, 2011); Andreas Wenger and Alex Wilner, eds. Deterring Terrorism: Theory and Practice (Stanford, CA: Stanford University Press, 2012); P.W. Singer and Allan Friedman Cybersecurity and Cyberwar (Oxford: Oxford University Press, 2014); Alex Wilner, Deterring Rationale Fanatics (Philadelphia: University of Pennsylvania Press, 2015); Brian Mazanec and Bradley Thayer, Deterring Cyber Warfare (New York, NY: Palgrave, 2015); Anne-Marie Slaughter, The Chessboard and the Web: Strategies of Connection in a Networked World (New Haven: Yale University Press, 2017); and Robert Mandel, Optimizing Cyberdeterrence: A Comprehensive Strategy for Preventing Foreign Cyberattacks (Washington, DC: Georgetown University Press, 2017).
4. Alex Wilner, “Contemporary Deterrence Theory and Counterterrorism: A Bridge Too Far?” New York University Journal of International Law and Politics 47 (2015): 451–452.
5. Other forms of deterrence, like extended deterrence and triadic deterrence, add a third necessary player—the protégé, proxy, or ally. Alex Wilner, “The Dark Side of Extended Deterrence: Thinking through the State Sponsorship of Terrorism,” Journal of Strategic Studies 40, no. 1 (2017): 4–5; Franklin D. Kramer, Robert J. Butler, and Catherine Lotrionte, “Cyber, Extended Deterrence, and NATO,” Atlantic Council Issue Brief (May 2016): 5–6; Boaz Atzili and Wendy Pearlman, “Triadic Deterrence: Coercing Strength, Beaten by Weakness,” Security Studies 21, no. 2 (2012): 302–305.
6. In a 2017 report on cyber deterrence, the U.S. Department of Defense's Defense Science Board rebranded deterrence by punishment as “deterrence by cost imposition.” Different title; roughly the same definition. U.S. Department of Defense, Defense Science Board, Task Force on Cyber Deterrence (Washington, DC: Author, February 2017), 3.
7. Government of the United States, The National Infrastructure Protection Plan: Partnering for Critical Infrastructure Security and Resilience (Washington, DC: Author, 2013). The White House, “Presidential Policy Directive: Critical Infrastructure Security and Resilience,” Presidential Policy Directive/PPD-21 (Washington, DC: Author, February 2013).
8. Benjamin Wittes and Gabriella Blum, Future of Violence: Germs, Hackers, and Drones (New York: Basic Books, 2015), 17–44; Cheryl Pellerin, “DARPA: Autonomous Bug-Hunting Bots Will Lead to Improved Cybersecurity,” DOD News, August 7, 2016; and John Markhoff and Matthew Rosenberg, “China's Intelligent Weaponry Gest Smarter,” New York Times, February 3, 2017.
9. Symantec, Internet Security Threat Report, 21 (April 2016): 8–9.
10. U.S. Senate Confirmation Hearing, Advanced Policy Questions for James Mattis, January 12, 2017; CSPAN, Defense Secretary Nominee General James Mattis, Archived Videos, published January 15, 2017, https://archive.org/details/CSPAN_20170115_201400_Defense_Secretary_Nominee_General_James_Mattis_Says_Russia_Trying_to_Break…/start/2700/end/2760.
11. Jon Lindsay, “Stuxnet and the Limits of Cyber Warfare,” Security Studies 22, no. 3 (2013): 379–380.
12. Brendan Koerner, “Inside the Cyberattack that Shocked the US Government,” Wired, October 23, 2016.
13. Ellen Nakashima and Adam Goldman, “CIA Pulled Officers from Beijing after Breach of Federal Personnel Records,” Washington Post, September 29, 2015.
14. For the latest cyber iteration of cumulative deterrence, see Uri Tor, “‘Cumulative Deterrence’ as a New Paradigm for Cyber Deterrence,” Journal of Strategic Studies 40, no. 1 (2017): 92–117.
15. Ellen Nakashima, “CIA Web site Hacked,” Washington Post, June 15, 2011.
16. Amir Lupovici, “Cyber Warfare and Deterrence: Trends and Challenges in Research,” Military and Strategic Affairs 3, no. 3 (2011): 52.
17. Defense Science Board, Task Force, 13–14.
18. Joseph S. Nye, Jr., “Deterrence and Dissuasion in Cyberspace,” International Security 41, no. 3 (2016/17), 50.
19. David Clark and Susan Landau, “Untangling Attribution,” Harvard Law School National Security Journal 2 (2011), http://harvardnsj.org/wp-content/uploads/2011/02/Vol-2-Clark-Landau.pdf; Jon Lindsay, “Tipping the Scales: The Attribution Problem and the Feasibility of Deterrence against Cyberattack,” Journal of Cybersecurity 1, no. 1 (2015): 56; Thomas Rid and Ben Buchanan, “Attributing Cyber Attacks,” Journal of Strategic Studies 38, nos. 1/2 (2015): 5–8.
20. The White House, “Presidential Policy Directive: United States Cyber Incident Coordination,” July 26 2016.
21. U.S. National Intelligence Council, “Assessing Russian Activities and Intentions in Recent US Elections,” Intelligence Community Assessment, January 6, 2017; Matthew Rosenberg et al., “Obama Administration Rushed to Preserve Intelligence of Russian Election Hacking,” New York Times, March 1, 2017.
22. Ibid., ii.
23. Washington Post, “Full Transcript: FBI Director James Comey Testifies on Russian Interference in 2016 Election,” March 20, 2017.
24. David Sanger, “US Wrestles with How to Fight Back against Cyberattacks,” New York Times, July 30, 2016.
25. Eric Lipton, David Sanger, and Scott Shane, “The Perfect Weapon: How Russian Cyberpower Invaded the US,” New York Times, December 13, 2016; Eric Lipton, “How We Identified the D.N.C. Hack's ‘Patient Zero,’” New York Times, December 20, 2016.
26. U.S. Department of the Treasury, “Issuance of Amended Executive Order 13694; Cyber-Related Sanctions Designations,” December 2016; Neil MacFarquhar, “Vladimir Putin Won't Expel US Diplomats as Russian Foreign Minister Urged,” New York Times, December 30, 2016.
27. Sanger, “US Wrestles,”; Mike Levine, “China is ‘Leading Suspect’ in Massive Hack of US Government Networks,” ABC News, June 25, 2016.
28. The White House, “Remarks by the President in Year-End Press Conference,” December 19, 2014.
29. BBC News, “Sony Cyber-Attack: North Korea Faces New US Sanctions,” January 3, 2015.
30. Julie Hirschfeld Davis and David Sanger, “Obama and Xi Jinping of China Agree to Steps on Cybertheft,” New York Times, September 25, 2015; David Sanger, “Chinese Curb Cyberattacks on US Interests, Report Finds,” New York Times, June 20, 2016.
31. Lipton et al., “The Perfect Weapon.”
32. Maggie Haberman et al., “Kushner Is Said to Have Discussed a Secret Chanel to Talk to Russia,” New York Times, May 26, 2017.
33. CSPAN, archive videos, 2017.
34. The White House, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, May 11, 2017.
35. Following allegations of Russian interference in the U.S. election, France, The Netherlands, Germany, Britain, and Norway all later fingered Russia for similarly meddling in their own national and domestic affairs. Andrew Higgins, “Fake News, Fake Ukrainians: How a Group of Russians Tilted a Dutch Vote,” New York Times, February 16, 2017; Melissa Eddy, “After a Cyberattack, Germany Fears Election Disruption,” New York Times, December 8, 2016; Rachel Donadio, “Why the Macron Hacking Attack Landed with a Thud in France,” New York Times, May 8, 2017.